<p>It seems we are the only distros (with Mandriva) building syslinux with system libpng.</p>
<div class="gmail_quote">On 2011-9-30 at 2:41 AM, "Erwan Velu" <<a href="mailto:erwanaliasr1@gmail.com">erwanaliasr1@gmail.com</a>> wrote:<br type="attribution">> On 28/09/2011 22:13, D.Morgan wrote:<br>>> On Wed, Sep 28, 2011 at 9:56 PM, Erwan Velu<<a href="mailto:erwanaliasr1@gmail.com">erwanaliasr1@gmail.com</a>> wrote:<br>
>>> I'm currently updating Syslinux 4.04 and I'm currently facing trouble as,<br>>>> historically speaking, we do remove the included libpng by the system one.<br>>>><br>>>> The compilation process fails. I was wondering if we really consider<br>
>>> replacing the libpng of syslinux as a security issue.<br>>>><br>>>> Sec team ? What's your opinion on it ?<br>>>><br>>>> Cheers,<br>>>><br>>> hi,<br>>><br>
>> I put my security hat on, we prefer, when possible, to use the system libs.<br>>> I have not looked, but which libpng is included ?<br>> <br>> It takes the libpng-source to replace the current syslinux code.<br>
> <br>> The point is syslinux is a bootloader that obviously doesn't share libs <br>> with the rest of the system.<br>> Considering that we can attack the bootloader via a picture means you <br>> compromised the picture. If you can change the picture located at /boot, <br>
> means that you can compromise the booting parameters too.<br>> <br>> So if we take this road of removing bootloader's libs, shall we also <br>> remove the jpeg/gz/gcc/... libs too, and maybe for other bootloaders too ?<br>
> <br>> I do understand the need for the application that runs under linux... <br>> but about the bootloaders...<br>> <br>> What are your thoughts about it ?<br>> Would you agree on keeping syslinux untouched regarding the png lib ?<br>
> <br></div>